Add SBOMEnabled field to CWSFeatureConfig for "package in use" feature

Adds spec.features.cws.sbomEnabled to the DatadogAgent CRD, enabling
the CWS SBOM resolver to track runtime package usage. When enabled,
system-probe maps file accesses to packages and enriches SBOMs with
LastSeenRunning timestamps. The env var DD_RUNTIME_SECURITY_CONFIG_SBOM_ENABLED
is set on both system-probe and core agent containers.

Author: 0intro

api/datadoghq/v2alpha1/datadogagent_types.go

@@ -509,6 +509,13 @@ type CWSFeatureConfig struct {
 	// +optional
 	DirectSendFromSystemProbe *bool `json:"directSendFromSystemProbe,omitempty"`
 
+	// Enables the SBOM resolver to track runtime package usage.
+	// When enabled, system-probe maps file accesses to packages and enriches
+	// SBOMs with LastSeenRunning timestamps ("package in use" feature).
+	// Default: false
+	// +optional
+	SBOMEnabled *bool `json:"sbomEnabled,omitempty"`
+
 	Enforcement         *CWSEnforcementConfig         `json:"enforcement,omitempty"`
 	Network             *CWSNetworkConfig             `json:"network,omitempty"`
 	SecurityProfiles    *CWSSecurityProfilesConfig    `json:"securityProfiles,omitempty"`

api/datadoghq/v2alpha1/zz_generated.deepcopy.go

@@ -1374,6 +1374,13 @@ spec:
                                 Default: true
                               type: boolean
                           type: object
+                        sbomEnabled:
+                          description: |-
+                            Enables the SBOM resolver to track runtime package usage.
+                            When enabled, system-probe maps file accesses to packages and enriches
+                            SBOMs with LastSeenRunning timestamps ("package in use" feature).
+                            Default: false
+                          type: boolean
                         securityProfiles:
                           properties:
                             enabled:
@@ -9806,6 +9813,13 @@ spec:
                                     Default: true
                                   type: boolean
                               type: object
+                            sbomEnabled:
+                              description: |-
+                                Enables the SBOM resolver to track runtime package usage.
+                                When enabled, system-probe maps file accesses to packages and enriches
+                                SBOMs with LastSeenRunning timestamps ("package in use" feature).
+                                Default: false
+                              type: boolean
                             securityProfiles:
                               properties:
                                 enabled:

config/crd/bases/v1/datadoghq.com_datadogagentinternals.yaml

@@ -1369,6 +1369,10 @@
                   },
                   "type": "object"
                 },
+                "sbomEnabled": {
+                  "description": "Enables the SBOM resolver to track runtime package usage.\nWhen enabled, system-probe maps file accesses to packages and enriches\nSBOMs with LastSeenRunning timestamps (\"package in use\" feature).\nDefault: false",
+                  "type": "boolean"
+                },
                 "securityProfiles": {
                   "additionalProperties": false,
                   "properties": {
@@ -9538,6 +9542,10 @@
                       },
                       "type": "object"
                     },
+                    "sbomEnabled": {
+                      "description": "Enables the SBOM resolver to track runtime package usage.\nWhen enabled, system-probe maps file accesses to packages and enriches\nSBOMs with LastSeenRunning timestamps (\"package in use\" feature).\nDefault: false",
+                      "type": "boolean"
+                    },
                     "securityProfiles": {
                       "additionalProperties": false,
                       "properties": {

config/crd/bases/v1/datadoghq.com_datadogagentinternals_v1alpha1.json

@@ -1374,6 +1374,13 @@ spec:
                                     Default: true
                                   type: boolean
                               type: object
+                            sbomEnabled:
+                              description: |-
+                                Enables the SBOM resolver to track runtime package usage.
+                                When enabled, system-probe maps file accesses to packages and enriches
+                                SBOMs with LastSeenRunning timestamps ("package in use" feature).
+                                Default: false
+                              type: boolean
                             securityProfiles:
                               properties:
                                 enabled:

config/crd/bases/v1/datadoghq.com_datadogagentprofiles.yaml

@@ -1373,6 +1373,10 @@
                       },
                       "type": "object"
                     },
+                    "sbomEnabled": {
+                      "description": "Enables the SBOM resolver to track runtime package usage.\nWhen enabled, system-probe maps file accesses to packages and enriches\nSBOMs with LastSeenRunning timestamps (\"package in use\" feature).\nDefault: false",
+                      "type": "boolean"
+                    },
                     "securityProfiles": {
                       "additionalProperties": false,
                       "properties": {

config/crd/bases/v1/datadoghq.com_datadogagentprofiles_v1alpha1.json

@@ -1378,6 +1378,13 @@ spec:
                                 Default: true
                               type: boolean
                           type: object
+                        sbomEnabled:
+                          description: |-
+                            Enables the SBOM resolver to track runtime package usage.
+                            When enabled, system-probe maps file accesses to packages and enriches
+                            SBOMs with LastSeenRunning timestamps ("package in use" feature).
+                            Default: false
+                          type: boolean
                         securityProfiles:
                           properties:
                             enabled:
@@ -9886,6 +9893,13 @@ spec:
                                     Default: true
                                   type: boolean
                               type: object
+                            sbomEnabled:
+                              description: |-
+                                Enables the SBOM resolver to track runtime package usage.
+                                When enabled, system-probe maps file accesses to packages and enriches
+                                SBOMs with LastSeenRunning timestamps ("package in use" feature).
+                                Default: false
+                              type: boolean
                             securityProfiles:
                               properties:
                                 enabled:

config/crd/bases/v1/datadoghq.com_datadogagents.yaml

@@ -1369,6 +1369,10 @@
                   },
                   "type": "object"
                 },
+                "sbomEnabled": {
+                  "description": "Enables the SBOM resolver to track runtime package usage.\nWhen enabled, system-probe maps file accesses to packages and enriches\nSBOMs with LastSeenRunning timestamps (\"package in use\" feature).\nDefault: false",
+                  "type": "boolean"
+                },
                 "securityProfiles": {
                   "additionalProperties": false,
                   "properties": {
@@ -9631,6 +9635,10 @@
                       },
                       "type": "object"
                     },
+                    "sbomEnabled": {
+                      "description": "Enables the SBOM resolver to track runtime package usage.\nWhen enabled, system-probe maps file accesses to packages and enriches\nSBOMs with LastSeenRunning timestamps (\"package in use\" feature).\nDefault: false",
+                      "type": "boolean"
+                    },
                     "securityProfiles": {
                       "additionalProperties": false,
                       "properties": {

config/crd/bases/v1/datadoghq.com_datadogagents_v2alpha1.json

@@ -98,6 +98,7 @@ spec:
 | features.cws.enforcement.enabled | Enables Enforcement for Cloud Workload Security. Default: true |
 | features.cws.network.enabled | Enables Cloud Workload Security Network detections. Default: true |
 | features.cws.remoteConfiguration.enabled | Enables Remote Configuration for Cloud Workload Security. Default: true |
+| features.cws.sbomEnabled | Enables the SBOM resolver to track runtime package usage. When enabled, system-probe maps file accesses to packages and enriches SBOMs with LastSeenRunning timestamps ("package in use" feature). Default: false |
 | features.cws.securityProfiles.enabled | Enables Security Profiles collection for Cloud Workload Security. Default: true |
 | features.cws.syscallMonitorEnabled | SyscallMonitorEnabled enables Syscall Monitoring (recommended for troubleshooting only). Default: false |
 | features.dataPlane.dogstatsd.enabled | Configures the Data Plane to handle DogStatsD traffic. When enabled, DogStatsD is disabled in the Core Agent. Default: false |

docs/configuration.v2alpha1.md

@@ -159,6 +159,9 @@ spec:
 `features.cws.remoteConfiguration.enabled`
 : Enables Remote Configuration for Cloud Workload Security. Default: true
 
+`features.cws.sbomEnabled`
+: Enables the SBOM resolver to track runtime package usage. When enabled, system-probe maps file accesses to packages and enriches SBOMs with LastSeenRunning timestamps ("package in use" feature). Default: false
+
 `features.cws.securityProfiles.enabled`
 : Enables Security Profiles collection for Cloud Workload Security. Default: true